With help from Eric Geller and Martin Matishak
Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— Today’s RSA Conference highlights include looks at industrial control system threats and how to develop secure software.
— DoD and Huawei went toe-to-toe at the conference on Wednesday over the security risks posed by the Chinese telecom.
— Polls out today shed light on Super Tuesday election security fears and how ready state and local government employees are for ransomware.
HAPPY THURSDAY and welcome to Morning Cybersecurity! A colleague asked your MC host, “Is RSA fun?” I’ve been flummoxed to answer. Send your thoughts, feedback and especially tips to firstname.lastname@example.org. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
RSAC, DAY FOUR — We’re hitting the stretch run at the RSA Conference, which means things are slowing down and will be at a crawl by Friday. Eric and your MC host are watching a few things today, though, disbursed between a blizzard of interviews and meetups. Among them: Rob Lee, CEO of Dragos, gives a keynote speech on the cyberthreat landscape, while NIST, SAFECode and BSA | The Software Alliance speak on a panel about secure software development.
WHOSE IDEA WAS THIS ONE — A top DoD official and Huawei USA’s chief security officer clashed on Wednesday at RSAC over keeping the Chinese telecom company out of Pentagon networks. First off, DoD has no choice but to enforce a legal ban Congress put in place, said Katie Arrington, chief information security officer for the office of the undersecretary of Defense for acquisition. But DoD intelligence indicated Huawei is too much of a risk, she said. “You are willing to convey control to another country,” and that’s a problem in the U.S., “period.” Arrington said that when there’s a product that can “take over, run or manipulate the most critical things in our country, why would you not want to be sure that company has all the right philosophical endeavors? They don’t.”
Huawei’s Andy Purdy contended that banning his company, however, was more likely to create security problems for the defense industrial base that relies on its equipment. Purdy said that it’s more important to evaluate products individually than base an evaluation on the country it’s from; “we need to make sure we can find the bad stuff in all the products.”
DETERRENCE OPTIMISM — The U.S. government needs to improve its attribution and retaliation capabilities in order to successfully deter malicious cyber activity, an FBI official said Wednesday at RSAC. “Some people scoff at the idea that we’re going to be successful in deterring these sorts of activities, because they’re happening all the time, so clearly we didn’t deter the last one,” Steven Kelly, chief of cyber policy in the FBI’s Cyber Division, said during a deterrence panel. But with rapid attribution and response mechanisms, deterrence is possible, he said, although it will take a different form than it did during the Cold War. “This is much different in the nuclear context,” Kelly observed, because “this stuff is happening all the time.”
During the same panel, other officials hammered home the importance of repeated attribution announcements as the foundation of emerging international norms. Allies need to develop a consensus about unacceptable behavior and demonstrate that consensus through public accusations in order to establish new customary international law, said Thomas Wingfield, the deputy assistant secretary of defense for cyber policy. That, he said, is how the “ocean liner of international law moves in the right direction.”
The U.S. used to be the only country willing to do this, but that is changing, said Adam Hickey, the deputy assistant attorney general for national asset protection. Other countries, he said, are “no longer afraid to say” that Russia or another country is responsible for a cyberattack.
LESSON LEARNED — The Iowa Democratic caucuses app debacle highlighted the importance of incident response planning, CISA Election Security Initiative Director Geoff Hale said during a panel Wednesday. The app’s flaws also underscored other best practices, he said: “Auditability and software independence is one of the tenets of security that we’re espousing.” In general, though, Hale said CISA has “been thrilled by the galvanization of the [elections] community” around cybersecurity — something he said he’d never seen happen so quickly in a critical infrastructure sector.
Even so, risks remain for this year’s election. Hale expressed concern about malefactors falsely claiming to have hacked election systems — and voters believing it because they distrust the process. When adversaries hear about malfunctions, “they just have to claim that they were there,” he said. “And if we aren’t in a position to disprove the [claims], we are effectively undermining confidence in the institution on our own. We’ve got a lot of work [to do] in [improving] voter resilience and … countering the misinformation in advance of any type of cyberattack.”
— ELSEWHERE WEDNESDAY AT THE CONFERENCE: John Demers, the assistant attorney general for national security, said President Donald Trump conflating trade and cybersecurity hasn’t made it harder for DOJ to go after Chinese hackers. Also, Hill aides discussed their legislative priorities on cybersecurity.
FIRST IN MC: SUPER TUESDAY HACK SAFETY CONFIDENCE LOW — Two-thirds of voting-age adults in Super Tuesday states believe the election is vulnerable to foreign interference, a poll by cybersecurity company CRITICALSTART discovered. While most believe their states are trying to address the problem, about half the respondents said they feel more confident with in-person paper ballots, and those who believe their state is secure are 2.3 times more likely to say they would vote on Super Tuesday. Tennessee voters were the most confident, while California and Texas voters were the least.
MORE VIEWS FROM THE STATES — Just 38 percent of state and city government employees have undergone training to respond to a ransomware attack, despite 73 percent of them citing such attacks as a major fear, IBM Security found in a poll out today. More than half were more worried about cyberattacks than other kinds of threats, with 63 percent saying specifically that they were worried about the 2020 elections being disrupted. And over half said their cybersecurity budgets have remained stagnant, even though 1 in 6 said their government had suffered a ransomware attack.
SURVEIL THIS SPACE — The House Judiciary Committee abruptly postponed a vote on legislation that would extend key intelligence authorities after Rep. Zoe Lofgren (D-Calif.) planned to introduce a series of amendments, POLITICO learned. Senior House Democrats viewed the proposals, plucked from Lofgren’s own bipartisan surveillance measure, H.R. 5675, as “poison pills” that would sink the bill, which was negotiated by the Judiciary and Intelligence committees. “You can’t just do some side deal and then expect all the members of the committee just to not do their job,” Lofgren told Martin after the vote was scrapped. “It was such puny reform.”
Lofgren admitted one possibility is that all of the authorities expire as planned on March 15, adding she would “soon” introduce legislation authorizing one of the intelligence powers: roving wiretaps. She also didn’t rule out making a similar push if and when the panel vote is rescheduled. “I’m willing to talk to anybody who’s got a reasonable plan. The bill as introduced by the committee was not one I thought was worth supporting,” Lofgren said. Lofgren’s move wasn’t the only one potentially complicating the reauthorization debate.
DoD MISCONFIGURATION: NOT GOOD — Sen. Mark Warner (D-Va.) on Wednesday urged the Pentagon to re-evaluate its cybersecurity measures following news this month of malware exploiting a misconfiguration discovered on a DoD server to mine cryptocurrency. “It is crucial to ensure that future incidents involving open vulnerabilities and improper access configurations that permit malware installation on federal information technology systems cannot reoccur, including on systems hosted by commercial cloud service providers,” Warner wrote. He also said the incident illustrated the value of coordinated vulnerability disclosure programs and the need for his legislation (S. 734) requiring them for internet of things contractors.
TWEET OF THE DAY — Post-CrowdStrike Dmitri is letting loose!
RECENTLY ON PRO CYBERSECURITY — Sen. Ed Markey (D-Mass.) said a breach at the facial recognition firm Clearview placed a spotlight on the dangers of its work with law enforcement. … U.S. courts saw a big uptick in cyberattacks, a federal judge told lawmakers. … The Aspen Cybersecurity Group announced an expansion of its initiative to bolster cybersecurity and high-tech workforces. … Nokia and Ericsson are set to testify before the Senate Commerce panel about 5G supply chain security. … “Coronavirus accelerates China’s big data collection but privacy concerns remain.”
— Apps that appear on at least one blacklist, such as VirusTotal, fell by 76 percent from 2018 to 2019, RiskIQ said in a report out today. That means mobile got safer, but the mobile landscape got bigger and more complicated, with the company cataloguing 18 percent more apps overall worldwide, led by China.
— ESET: Meet kr00k, a major Wi-Fi vulnerability.
— CyberScoop: Iranian hackers are conducting espionage against governmental organizations in Iraq, Jordan and Turkey, Dell Secureworks said.
— The Carnegie Endowment for International Peace has a report on international cyber norms.
— ZDNet: U.S. prosecutors had to drop charges against six suspected drug dealers after a ransomware infection led to lost files at a Florida police department.
— Wired: “How a Hacker’s Mom Broke Into a Prison — and the Warden’s Computer.”
— Tallahassee Democrat: Florida made counties sign nondisclosure agreements “before they could receive federal funding for elections security, be briefed about vulnerabilities found by cybersecurity experts or even hook up to the state’s voter registration system.”
That’s all for today.
Stay in touch with the whole team: Mike Farrell (email@example.com, @mikebfarrell); Eric Geller (firstname.lastname@example.org, @ericgeller); Martin Matishak (email@example.com, @martinmatishak); and Tim Starks (firstname.lastname@example.org, @timstarks).